Spoofed Email sent from support@domain.com

[VTC]

A user received four emails this morning, not filtered out as spam from support@<mydomain>.com but the reply to is something else, ie spoofed.

"Dear Customer,

This e-mail was send by <My domain>.com to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.

(C) <My domain>.com"

With a zip file.

Any one who can felt me adjust my spam rules to block these type of emails would be appreciated.

[phoenix]

What happens if you hit the Junk button to mark them as spam, do they continue to arrive in the Inbox? What are your Kill/Tag percentages set to? Do the headers from the spam show anything significant? Don't forget that fighting spam is an ongoing process and it's never likely to be 100% perfect, the user will always get some spam in the Inbox.

[VTC]

"Return-Path: atlantisz03@rossiter.com
Received: from pobox1.virtc.com (LHLO pobox1.virtc.com) (192.168.1.9) by
mail.virtc.com with LMTP; Thu, 29 Jul 2010 04:29:43 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by pobox1.virtc.com (Postfix) with ESMTP id 1EB9A4182FD
for <user@raytheonvtc.com>; Thu, 29 Jul 2010 04:29:43 -0400 (EDT)
X-Virus-Scanned: amavisd-new at pobox1.virtc.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level:
X-Spam-Status: No, score=-2.611 tagged_above=-10 required=2.4
tests=[AM:BOOST=-10, BAYES_80=2, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
RDNS_NONE=0.1, TVD_RCVD_SINGLE=1.351] autolearn=no
Received: from pobox1.virtc.com ([127.0.0.1])
by localhost (pobox1.virtc.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id IPWjskgiTB-B; Thu, 29 Jul 2010 04:29:37 -0400 (EDT)
Received: from CMQUMVKFRQ (unknown [117.201.106.105])
by pobox1.virtc.com (Postfix) with ESMTP id 32B3141802B
for <user@raytheonvtc.com>; Thu, 29 Jul 2010 04:29:36 -0400 (EDT)
Received: from 117.201.106.105 by mail.rossiter.com; Thu, 29 Jul 2010 13:57:47 +0530
Message-ID: <000d01cb2ef7$ecb29f00$6400a8c0@atlantisz03>
From: "raytheonvtc.com Member Services" <support@raytheonvtc.com>
To: <user@raytheonvtc.com>
Subject: raytheonvtc.com account notification
Date: Thu, 29 Jul 2010 13:57:47 +0530
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01CB2EF7.ECB29F00"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.
"

[VTC]

What happens if you hit the Junk button to mark them as spam, do they continue to arrive in the Inbox? What are your Kill/Tag percentages set to? Do the headers from the spam show anything significant? Don't forget that fighting spam is an ongoing process and it's never likely to be 100% perfect, the user will always get some spam in the Inbox.

1)Well the irony is that the user had some of the sames messages before in junk, I had him move the latest to the junk mail folder in any event.

2) Im not sure I am familiary with Kill/Tag Percentage settings

3) Read the above for the headers of an example.

Ideally I know spam fighting is a constant battle, but Blocking spoofed emails should be more finite.

[phoenix]

1)Well the irony is that the user had some of the sames messages before in junk, I had him move the latest to the junk mail folder in any event.

2) Im not sure I am familiary with Kill/Tag Percentage settings

The settings are on the Global Settings/AS/AV tab and determine what gets tagged as spam and what gets killed.

3) Read the above for the headers of an example.

I would think that the following is causing the problem:

tests=[AM:BOOST=-10, BAYES_80=2, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
RDNS_NONE=0.1, TVD_RCVD_SINGLE=1.351] autolearn=no

Have you got the sending company (mailserver?) whitelisted by any chance? I'm not familiar with that test and the only mention in the forums is this thread: https://www.zimbra.com/forums/admini...hite-list.html

Ideally I know spam fighting is a constant battle, but Blocking spoofed emails should be more finite.

Sorry, that wasn't meant to be a lecture.

[VTC]

So in our current amavid.conf.in we set our domain to have a boost -10
'mydomain.com' => -10.0
Should we not be doing this?

[VTC]

I guess another question is, what is a good Kill/TAG ratio.

For some reason we have some adstract numbers
55 Kill
12 tag.

[phoenix]

So in our current amavid.conf.in we set our domain to have a boost -10
'mydomain.com' => -10.0
Should we not be doing this?

My guess would be no, you shouldn't, as that's what is giving that email a score that is 'not spam'. A question, why do you think that setting is necessary?

I guess another question is, what is a good Kill/TAG ratio.

For some reason we have some adstract numbers
55 Kill
12 tag

I'd say they're a bit on the low side and may remove valid email or give false positives, I have my Kill/Tag set at 66/25 and find that works OK. The obvious thing is if you aren't seeing any false positives or you're not rejecting valid mail then I guess those settings are working for you - those numbers are always a best guess.

[VTC]

These settings have been in place for awhile, and finally we get spam mail with our domain name and viola you have a problem...